The European Commission was satisfied with the company's promise to include in the European version of Windows a "ballot screen" offering a choice of browser.
Farewell to Mashup Editor. It’s not just Microsoft Popfly that’s shutting down—Google Mashup Editor will be gone in four weeks time (this was announced in January). You get to keep your code, but I don’t know enough about Mashup Editor to know if the code is usable once the system has shut down.
Popfly Shutting Down. Yet another reminder that building stuff on a closed-source platform (especially a hosted service) is risky business, even from a vendor as large as Microsoft. This certainly won’t help them make the case for Azure.
Why an OAuth iframe is a Great Idea. Because users should a) learn to be phished and b) not even be given the option to avoid being phished if they know what they’re doing? No, no and thrice no. If you want to improve the experience, use a popup window so the user can still see the site they are signing in to in the background.
Ryan Janssen: Why an OAuth iframe is a Great Idea.
The reason the OAuth community prefers that we open up a new window is that if you look at the URL in the window (the place you type in a site’s name), you would see that it says www.netflix.com* and know that you are giving your credentials to Netflix.
Or would you? I would! Other technologists would! But would you? Would you even notice? If you noticed would you care? The answer for the VAST majority of the world is of course, no. In fact to an average person, getting taken to an ENTIRELY other site with some weird little dialog floating in a big page is EXTREMELY suspicious. The real site you are trusting to do the right thing is SetJam (not weird pop-up window site).
I posted a reply comment on that post, but I’ll replicate it in full here:
Please, please don’t do this.
As web developers we have a shared responsibility to help our users stay safe on the internet. This is becoming ever more important as people move more of their lives online.
It’s an almost sisyphean task. If you want to avoid online fraud, you need to understand an enormous stack of technologies: browsers, web pages, links, URLs, DNS, SSL, certificates... I know user education is never the right answer, but in the case of the Web I honestly can’t see any other route.
The last thing we need is developers making the problem worse by encouraging unsafe behaviour. That was the whole POINT of OAuth—the password anti-pattern was showing up everywhere, and was causing very real problems. OAuth provides an alternative, but we still have a long way to go convincing users not to hand their password over to any site that asks for it. Still, it’s a small victory in a much bigger war.
If developers start showing OAuth in an iframe, that victory was for nothing—we may as well not have bothered. OAuth isn’t just a protocol, it’s an ambitious attempt to help users understand the importance of protecting their credentials, and the fact that different sites should be granted different permissions with regards to accessing their stuff. This is a difficult but critical lesson for users to learn. The only real hope is if OAuth, implemented correctly, spreads far enough around the Web that people start to understand it and get a feel for how it is meant to work.
By implementing OAuth in an iframe you are completely undermining this effort—and in doing so you’re contributing to a tragedy of the commons where selfish behaviour on the behalf of a few causes problems for everyone else. Even worse, if the usability DOES prove to be better (which wouldn’t be surprising) you’ll be actively encouraging people to implement OAuth in an insecure way—your competitors will hardly want to keep doing things the secure way if you are getting higher conversion rates than they are.
So once again, please don’t do this.
Update: It turns out Netflix already use a frame-busting script on their OAuth authentication page.
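The frame-busting mentioned in the update, as an added example that is not part of the original post and is not Netflix's script: the script-level check next to the response headers that make the browser itself refuse framing, plus a helper that classifies a response's headers. The function names and the sample origins are assumptions.

```javascript
// Added example. The sample windows and header sets are constructed.

// Classic frame-busting check: if this page is not the top-level window,
// navigate the top window to it so the address bar shows the real origin.
function bustFrame(win) {
  if (win.top !== win.self) {
    win.top.location = win.self.location.href;
    return true;
  }
  return false;
}

// Header-based equivalent, enforced by the browser before any script runs.
const ANTI_FRAMING_HEADERS = {
  'X-Frame-Options': 'DENY',
  'Content-Security-Policy': "frame-ancestors 'none'",
};

// Classify response headers: can another site embed this page in a frame?
function framingPolicy(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  // frame-ancestors takes precedence over X-Frame-Options when both are set.
  const directive = (h['content-security-policy'] || '')
    .split(';').map((d) => d.trim().toLowerCase())
    .find((d) => /^frame-ancestors(\s|$)/.test(d));
  if (directive !== undefined) {
    const sources = directive.split(/\s+/).slice(1);
    if (sources.length === 0 || (sources.length === 1 && sources[0] === "'none'")) return 'blocked';
    if (sources.every((s) => s === "'self'")) return 'same-origin-only';
    return 'allowlist';
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'blocked';
  if (xfo === 'SAMEORIGIN') return 'same-origin-only';
  return 'frameable';
}

// Constructed samples: an authorize page loaded inside a consumer's iframe.
const consumerTop = { location: 'https://consumer.example/connect' };
const framedAuthPage = { top: consumerTop, location: { href: 'https://provider.example/oauth/authorize' } };
framedAuthPage.self = framedAuthPage;
console.log(bustFrame(framedAuthPage), consumerTop.location);
console.log(framingPolicy(ANTI_FRAMING_HEADERS), framingPolicy({ 'Content-Type': 'text/html' }));
```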
I propose that the World Wide Web would serve well as a framework for structuring much of the academic Computer Science curriculum. A study of the theory and practice of the Web’s technologies would traverse many key areas of our discipline.
- Tim Bray
The Firebug team is proud to announce the release of Firebug 1.4.0!
Starting back in Oct. 2008 with Firebug 1.4a1, the Firebug team added features (and yes we removed a few) through 1.4a31 in June, 2009. Then we worked on bugs through 11 beta releases to 1.4b11 (ok that one was today). Developed on Firefox 3.0 and tested on Firefox 3.5, Firebug 1.4 is now our recommended release for all users. We will upgrade existing users of 1.3 on Firefox 3.0. (All versions of Firebug are available from getfirebug.com, in case you want to stick with 1.3 or you need to use an older version of Firefox).
Firebug 1.4 is a true community achievement. We have had contributions from many developers and a few designers, with additions both large and small. The Firebug user interface has been translated into many different languages. We got excellent, timely help from the Firefox development team. And unheralded but sincerely appreciated, we have hundreds of users who take time to write bug reports and create test cases critical to making this complex software useful.
Over the next week we hope to give you more information about the changes in 1.4. Here are some of the highlights as a teaser:
Some more details are available in the release notes.
Followup on the newsgroup please.
Shared by arty
PHP does not make programming simpler. It just pretends that programming is simpler than it is
Not every utility will "see" the new name, but this method works for start-stop-daemon and killall.
import os.path, sys, ctypes
# prctl option 15 is PR_SET_NAME; it takes a byte string
ctypes.CDLL('libc.so.6').prctl(15, os.path.basename(sys.argv[0]).encode(), 0, 0, 0)
YQL: INSERT INTO internet. insert into twitter.status (status,username,password) values ("Playing with INSERT, UPDATE and DELETE in YQL", "twitterusername","twitterpassword")
following the general trend, I moved the blog from xhtml 1.1 to html5. There wasn't much fiddling, though it did take a long time : ) I do like the end result, though
during the migration the hAtom microformat died, although the semantics did not suffer:
.hentry naturally turns into
.updated becomes time, and so on
it turned out funny with Explorer. Until today, as part of the "let's make IE the most unsupported browser on the internet" program, I served pages with the type application/xhtml+xml, and you can guess what that led to ; ) For some reason it seemed to me that html5 has to be served as text/html, which Explorer understands (this is not true for xhtml5), and for a while I doubted the switch altogether. But then I remembered the level of support for the new tags in IE, and calmed down. I did, however, leave a hint for its users
recently, by the way, I bolted on another feature, but this is the first post where you can see it: Russian in the post's address. Once again I had to have some tough love with conversions of bytes, strings and encodings in Python, but at least I have started to understand the system a little. By the way, today I also ran into another "feature" of the language: time zone support in Python dates
The CSS Working Group has just published a Last Call Working Draft of the CSS Multi-column Layout module Level 3. This module defines properties to flow content into multiple columns, a common layout feature in print publications such as newspapers. Major changes since the last publication include changes to the syntax of column-breaking controls and an example of text wrapping around floats in a later column.
The deadline for comments is 1 October 2009. This is an unusually-long Last Call period because we want to encourage a wider review of the module and to make sure implementors are ready for everything in the draft to be locked down for CR. Please send comments to email@example.com with [css3-multicol] and your comment topic in the subject header. (And if you insist on posting your comments elsewhere, at least have someone forward them there. Seriously.)
Yahoo! proposal to open source “Traffic Server” via the ASF. Traffic Server is a “fast, scalable and extensible HTTP/1.1 compliant caching proxy server” (presumably equivalent to things like Squid and Varnish) originally acquired from Inktomi and developed internally at Yahoo! for the past three years, which has been benchmarked handling 35,000 req/s on a single box. No source code yet but it looks like the release will arrive pretty soon.
Turns out, a lot of people are saddened by the loss of a spec they don’t understand, and if they did, would not bother using.
The Register’s Ted Dziuba wrote a rant about a recent Google App Engine’s downtime, and Google’s handling of it. (I can attest the App Engine is down more often than it would be healthy for a website which hopes to gain visitors... we had to experience this with our app, CaptionX, although Google’s service was free and Google additionally supported us with extra capacity.) Ted writes:
App Engine developers must go through the effort to contort their program to Google’s data storage mechanism, which in some cases can be a far cry from SQL. The benefit to this is that you don’t have to worry about scalability, ever. Allegedly. It’s sort of like how a heroin addiction means that you don’t have to worry about reality, ever.
As with anything that flies through a cloud, Google App Engine can suffer a double flame-out and crash to the ground, killing hundreds and swearing a large subset of the population off of air travel for quite some time. Google has paying customers for App Engine, and maybe Wonka doesn’t quite understand this, but when people pay you for a service, they expect a certain amount of transparency and honesty.
[By Philipp Lenssen | Origin: On Google App Engine Downtimes | Comments]
Tips on using python’s datetime module. Wow. I’ve run in to problems with datetime and timezones before, but I had no idea how intrinsic those problems were to the design of the library.
Yes, it’d be nice if everyone kept up to date on the progress of the various W3C working groups. They don’t. There are a lot of people who asked what professional markup looked like and were told (right or wrong) that XHTML was the future. So they went ahead and learned XHTML, built their websites and chose watching a DVD or spending time with their kids over watching Mark Pilgrim and Sam Ruby do battle over Postel’s Law. Now all of a sudden they’re told XHTML is dead. Some wailing and gnashing of teeth is to be expected. What’s needed is less “boy aren’t I smarter than them” snideness, and more Hey, here’s what’s up.
I stumbled upon the article "Surrogate Scripts vs Google Analytics", which describes an interesting problem: sometimes JavaScript programmers use extra features of external tools such as Google Analytics in their code, and when a user selectively blocks such statistics collectors, the JavaScript breaks. For example, if a button's onclick handler first calls urchinTracker(…), which is defined in the blocked urchin.js, then the rest of the handler's code simply will not run
the article offers a user-side solution to this problem using some Greasemonkey features. As usual, the same effect can be achieved in Opera, but this problem does not affect me: I deliberately do not block counters, so as not to hurt Opera's numbers in the statistics
what concerns me is this problem from the developer's side: you need to remember not only that JavaScript may be unavailable, but also that only part of it may become unavailable. Of course, caution should be kept within reason, and the logical place to draw the line here is the boundary between internal and external scripts. Although I am not fond of Resig's trick, which implements the same separation concept, of "execute this code only when the script loads"
in short, I recommend:
window.urchinTracker && window.urchinTracker(…);
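The guard recommended above, generalized in an added example that is not part of the original post: besides a missing function it also survives a stub that is not callable or that throws. `callExternal`, the handler names and the `scope` object standing in for `window` are assumptions.

```javascript
// Added example. `scope` stands in for `window`; all names are hypothetical.

// Call a function that a third-party script was supposed to define.
// Returns a status instead of throwing, so the caller's own logic goes on.
function callExternal(scope, name, ...args) {
  const fn = scope[name];
  if (typeof fn !== 'function') return { called: false, reason: 'missing' };
  try {
    return { called: true, value: fn.apply(scope, args) };
  } catch (err) {
    return { called: false, reason: 'threw', error: err };
  }
}

// Fragile handler: a blocked urchin.js leaves urchinTracker undefined, the
// first line throws, and the form is never submitted.
function fragileOnClick(scope, form) {
  scope.urchinTracker('/signup/submit');
  form.submitted = true;
}

// Guarded handler: tracking is best effort, the site's own code always runs.
function guardedOnClick(scope, form) {
  const tracking = callExternal(scope, 'urchinTracker', '/signup/submit');
  form.submitted = true;
  return tracking;
}

// Constructed sample: a page where the analytics script was blocked.
const blockedPage = {};
const sampleForm = { submitted: false };
try {
  fragileOnClick(blockedPage, sampleForm);
} catch (err) {
  console.log('fragile handler failed:', err.name, 'submitted =', sampleForm.submitted);
}
console.log('guarded handler:', guardedOnClick(blockedPage, sampleForm).reason,
  'submitted =', sampleForm.submitted);
```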
FAQs about the future of XHTML. The XHTML 2 Working Group charter will not be renewed after 2009—as far as the W3C are concerned, XHTML5 is the future of XHTML.
Today we are happy to release the specification for the Scope protocol. This is the protocol used for communication between the Opera browser and Opera Dragonfly. It is also used here at Opera for automated testing.
Since the release of Opera Dragonfly, we have tried to keep the project open source. The source and its documentation is available under BSD licence, but it is difficult to expand it or create something different without the protocol specification. This release wants to rectify that.
The documentation is more or less as we have used it internally to communicate inside the team, which means that some documentation is missing simply because everyone on the team knew what it was about. If something is unclear, let us know in the comments.
One of the reasons we are releasing right now, is that other browser makers have started discussing how to do remote debugging. Since the very start we have focused specifically on this, so we want to share our experience and ideas with everyone else.
Our next release will be a public build of Opera using STP/1, together with tools to help you get started with communication through STP/1.
Enjoy the read!
Codecs for <audio> and <video>. HTML 5 will not be requiring support for specific audio and video codecs—Ian Hickson explains why, in great detail. Short version: Apple won’t implement Theora due to lack of hardware support and an “uncertain patent landscape”, while open source browsers (Chromium and Mozilla) can’t support H.264 due to the cost of the licenses.